freeipa.git - FreeIPA project

	Commit message (Collapse)	Author	Age	Files	Lines
*	This patch removes the existing UI functionality, as a prep for adding the ↵	Adam Young	2010-07-29	1	-1/+0
\| \| \| \|	Javascript based ui.
*	Add permissions for named to communicate over ldapi	Rob Crittenden	2010-02-03	1	-1/+4
\|
*	Set the context of files needed by the selfsign CA so Apache can write them	Rob Crittenden	2009-12-16	2	-1/+6
\|
*	Add SELinux policy for UI assets	Rob Crittenden	2009-11-04	2	-1/+6
\| \| \| \| \| \| \| \|	This also removes the Index option of /ipa-assets as well as the deprecated IPADebug option. No need to build or install ipa_webgui anymore. Leaving in the code for reference purposes for now.
*	Add external CA signing and abstract out the RA backend	Rob Crittenden	2009-09-15	1	-0/+6
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
*	Many SELinux fixes: ldapi, ctypes and dogtag	Rob Crittenden	2009-09-10	1	-13/+7
\| \| \| \| \| \| \| \| \| \| \|	ldapi: grants httpd and krb5kdc to access the DS ldapi socket ctypes: the Python uuid module includes ctypes which makes httpd segfault due to SELinux problems. dogtag: remove the CRL publishing permissions. This only worked if you had dogtag installed. In the near future will publish elsewhere so for the time being CRL file publishing will be broken with SELinux enabled.
*	Allow httpd to read unix sockets so it can communicate to DS over ldapi	Rob Crittenden	2009-09-10	1	-0/+6
\|
*	Generate CRLs and make them available from the IPA web server	Rob Crittenden	2009-08-26	1	-0/+16